Learn to read the obscure WindowsUpdate.log file

Home

Newsletter

Search

Reviews

Polls

Contact

This issue

Library

Upgrade

Preferences

Unsubscribe

Windows Secrets Newsletter • Issue 207 • 2009-07-23 • Circulation: over 400,000

Free download — speed up your computer
RegCure automatically and instantly fixes all your Windows errors. This results in a fully optimized PC that runs fast and error-free. RegCure was developed by a team of over 100 professionals with an end goal of creating an application that is user-friendly and accomplishes the crucial task of keeping your PC running smoothly. Download RegCure now and optimize your entire PC in under 2 minutes!
RegCure

Table of contents
TOP STORY: Learn to read the obscure WindowsUpdate.log file
WACKY WEB WEEK: The transforming of the greatest "blanket" ever
LANGALIST PLUS: How to correct Device Manager hardware errors
WOODY'S WINDOWS: Important Windows 7 questions remain unanswered
PATCH WATCH: No need to undo pre-patch ActiveX killbit

ADS

Never reinstall your XP again
New technology: no set-up, no loss of data or applications. The ultimate professional repair tool. Free PC booster with every scan, get it now!
Reimage

Optimize your PC by updating your BIOS
Do you want to improve the performance of your PC? Phoenix Technologies' new BIOSAgentPlus is a program that will scan your PC and match the correct BIOS and specific driver updates you need on any desktop or laptop. Scan today for a free report!
BIOSAgentPlus

Free PC performance scan
"I repair computers for a living and was looking for a utility that would simply do what usually took me hours. PC Pitstop's Optimize did all of it and more. I am very satisfied with the product and have recommended it to numerous clients." Larry, CA ... Run a free PC Optimize scan now!
PC Pitstop

See your ad here

TOP STORY

Learn to read the obscure WindowsUpdate.log file

By Susan Bradley

Every moment your computer is on, a nearly undocumented Microsoft file — WindowsUpdate.log — maintains a record of your system's patching activity.

Making sense of the information in this update log can be a challenge, but I'll show you how you can use it to learn the inside story of your PC's update history.

In his June 25 and July 2 Top Stories, WS contributing editor Scott Spanbauer reported that Automatic Updates sometimes installs patches on PCs configured to require prior user approval.

The WindowsUpdate.log file can help us determine why Windows sometimes runs "forced patches" at shutdown time — displaying none of the expected notifications that patches are available.

Microsoft's text file can appear indecipherable at first glance, but at least it's easy to locate. On any Windows computer, browse to the C:\Windows folder to find WindowsUpdate.log. Note: To access this file, you may need to click Show the files in the right pane.

(In XP, you may see a second file named Windows Update.log. One file has a space in its name and the other doesn't. The one with the space is for an earlier version (V4) of the Windows Update engine. The log file without the space is the newer format and is the one you want to open.)

Open the file in Notepad or your default text editor. Make sure you start at the very top of the file. Depending on how recently and frequently a computer has been used, the log file may record activity going back several months or only a month or two. (See Figure 1.)

Figure 1. The WindowsUpdate.log file in the C:\Windows folder records your system's update activity.

First, look for the start of the log. This records the computer's settings when it boots up and describes some of the computer's components. The following is a snippet from the top of one such file (each line of the file begins with a date and time stamp):

2009-02-24 23:07:27:325 1052 46c AU ########### AU: Initializing Automatic Updates ###########
2009-02-24 23:07:27:341 1052 46c AU AU setting next detection timeout to 2009-02-25 07:07:27
2009-02-24 23:07:27:356 1052 46c AU # Approval type: Scheduled (User preference)
2009-02-24 23:07:27:356 1052 46c AU # Scheduled install day/time: Every day at 3:00
2009-02-24 23:07:27:356 1052 46c AU # Auto-install minor updates: Yes (User preference)

In line 3, the cryptic phrase "Approval type: Scheduled (User preference)" means that back on Feb. 24 — the farthest back this particular log file goes — the computer was configured to update automatically. As you'll see, this factoid can be useful to us.

Whenever you or some third-party application changes the PC's update settings, the information is recorded in the WindowsUpdate.log file, as shown below:

2009-07-03 19:01:30:531 1120 2cc AU ########### AU: Setting new AU options ###########
2009-07-03 19:01:30:547 1120 2cc AU Setting AU Approval Type to 2
2009-07-03 19:01:30:547 1120 2cc AU # Policy changed, AU refresh required = No
2009-07-03 19:01:30:547 1120 2cc AU # Approval type: Pre-download notify (User preference)
2009-07-03 19:01:30:547 1120 2cc AU AU settings changed through User Preference.

Line 2 indicates that on July 3, I changed the machine's setting for Automatic Updates (AU) to Notify me but don't automatically download or install them. Interestingly, the log file describes this as "Setting AU Approval Type to 2." Most Windows users, by contrast, consider this to be Option 3 in the AU dialog box. (See Figure 2.)

Windows XP Automatic Update settings

Figure 2. The WindowsUpdate.log file calls it "2," but it corresponds to Option 3 in the Automatic Updates dialog box.

As Microsoft explains in Knowledge Base article 328010, the AU options are inexplicably numbered by the log file (and such tools as the Group Policy Editor) in descending order:

4 means Automatic;
3 means Download but let me choose when to install;
2 means Notify me but don't download or install;
1 means Turn off Automatic Updates.

Most important is the fact that the log file clearly records when a change was made to this setting. If patches started automatically installing, but you thought you'd made your PC require your permission, you can scan the log file to see whether your setting was changed — and possibly by whom or what.

Tracking the source of an AU settings change

When you install third-party antivirus software, the program's setup routine may change the AU setting to "fully automatic" without letting you know. Windows Secrets articles on Oct. 25, 2007, and May 25, 2006, reported that this rude behavior was exhibited by Microsoft Live OneCare and Norton Internet Security, respectively.

When this happens, the log file indicates that the change was made by the user, even though you may not have understood — nor even had a clue — that the change had been made.

Still, locating these change entries in the log file can help you relate a software installation to the alteration of the machine's AU setting. At the very least, this lets you eliminate other causes for the switch.

How can you find out whether patches will be installed the next time you shut down your PC? An example of such a situation is shown in the following snippet.

Near the bottom of the WindowsUpdate.log file for my test system — which is set to "notify me" — four patches are identified as ones that will be installed automatically at shutdown time. This doesn't mean that the four patches have been downloaded yet — merely that they're ready to be approved by the user. The entries that provide this information are as follows (notice "4 updates for install at shutdown" in line 1):

2009-07-09 21:38:48:625 1112 4e0 AU AU found 4 updates for install at shutdown
2009-07-09 21:38:48:656 1708 6d8 Misc =========== Logging initialized (build: 7.2.6001.788, tz: -0700) ===========
2009-07-09 21:38:48:656 1708 6d8 Misc = Process: C:\WINDOWS\Explorer.EXE
2009-07-09 21:38:48:656 1708 6d8 Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2009-07-09 21:38:48:656 1708 6d8 Shutdwn Install at shutdown: found updates to install

The tricky part is confirming that your log file corresponds to the update alerts you expect to see. On my test XP PC, the yellow Windows-patch icon does show up in the notification area. (In Vista, the update-alert icon is bluish-green). If I click the icon to view the available patches, I see five updates listed. Funny — these aren't the same as the four that the log file indicates will be installed if I approve them. (See Figure 3.)

Choose updates to install

Figure 3. The WindowsUpdate.log file indicates that four updates are ready to be installed, but the selection window shows five different updates pending.

Why does the update dialog box show that Internet Explorer 8 will be installed in addition to the patches described in KB articles 961501, 963093, 969898, and 890830?

The discrepancy relates to the difference between patches being offered via Windows Update and those Microsoft is pushing.

At this writing, IE 8 is being offered as an update rather than being pushed. It may look to you as though IE 8 is going to be installed automatically. But as of today, it will install only if you select it. It will also install if you view available updates — as on my test XP PC — and fail to uncheck the IE 8 option.

Unless you read Microsoft blogs every day for fun, it's difficult to track the critical security patches — the ones being pushed — and the less-critical updates that are merely being offered.

When you choose the "notify me" option in AU, the update process is supposed to show an alert icon in Windows' notification area. You can click this icon to open a window in which you approve specific updates prior to installing any of them.

What if you shut down a PC without clicking the icon to select available updates? In that case, you should see a link that lets you shut down without installing patches this time around. (See Figure 4.)

Updates-available shutdown alert

Figure 4. The XP shutdown screen indicates that important patches will be installed when you turn off the system.

In the WindowsUpdate.log file, the following line represents the presence of the "install-at-shutdown" warning:

2009-07-09 21:38:48:656 1708 6d8 Shutdwn Install at shutdown: found updates to install

This line means Windows will display in its shutdown dialog box an option to control the installation of patches. To shut down without installing the pending patches — in case you want to research them further, for instance — you must choose Click here to turn off without installing updates. If you fail to select that option but instead click the normal Turn Off button, the updates will install automatically as the system shuts down.

A bug in the update process has been noted by many responsible observers. For some reason, Microsoft's usual "patches will be installed" indicators — the one in the notification area and the one on the shutdown screen — sometimes don't function properly. This occurs more frequently when Microsoft "throttles" its download servers, such as with the particularly large number of updates released on Patch Tuesday, June 14, 2009.

I hope my explanation of the update log will help you identify any mysterious behavior you may have experienced. Many individuals and companies must ensure that needed updates aren't installed before testing is completed for negative side-effects.

If a PC suddenly updates itself when it wasn't supposed to, WindowsUpdate.log can show you which settings were changed and when.

Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She's also a partner in a California CPA firm.

Table of contents

ADS

Get Windows news and tech tips daily
Replenish your mind with tech excellence! Visit the Infopackets site right now and get your daily fix of Windows news, reviews, tech tips, plus freeware goodies daily. Bonus: join our mailing list today and you'll also receive any of our highly coveted Top 10 Tech Reports, including PC Security Essentials, Windows Optimization Secrets, Top Freeware Antivirus Reviewed, MS Office Alternatives, and more.
Infopackets Windows Newsletter

Your old drivers are slowing down your PC
Driver Detective provides the most up-to-date drivers specific to your computer, including all major-brand OEMs (Dell, HP, Compaq, Toshiba, etc.) and generic brands. We access a database of over 9.2 million device-associated drivers — the largest driver update database on the Internet. Driver Detective saves you endless hours of work and aggravation normally associated with updating drivers.
Driver Detective

Get your message seen by 400,000 readers
Does your company offer a product or service? Now you can place an ad in the Windows Secrets Newsletter and be seen by more than 400,000 active buyers of PC hardware and software. Bid as much or as little as you like to get the ideal ad placement. Take advantage of our all-new design interface, allowing larger images and longer text, and get updated stats in real time!
Windows Secrets Newsletter

See your ad here

WACKY WEB WEEK

The transforming of the greatest 'blanket' ever

By Stephanie Small

Everyone's favorite blanket with arm holes — also known as the Snuggie — has returned with a vengeance. Once available only in solids, the new and improved version of the WTF blanket now comes in attractive dead animal prints!

Doing nothing never looked so stylish. Throw them on your couch to instantly uglify the decor, or wear one on your next at-home date to dazzle that special someone. And of course, the trusty book light still comes free with each purchase. So snuggle up with your fleecy backwards robe, grab your reading light, and plant yourself on the couch with the other potatoes! Play the video

Table of contents

BONUS DOWNLOAD

Green Home Computing for Dummies download

Free ways to save money and energy with your PC
This month's free bonus download for all our subscribers is Green Home Computing for Dummies by Katherine Murray and our very own contributing editor Woody Leonhard. The book is full of tips on how to reduce your PC's power cost, optimize your system's performance for better energy efficiency, and more! The printed volume isn't in stores yet, but all subscribers can receive our exclusive excerpt of two full chapters, now through August 5. Simply visit your preferences page, save any changes, and a download link will appear. Thanks! —Brian Livingston, editorial director

All subscribers: Set your preferences and download your bonus
Info on the printed book: United States / Canada / Elsewhere

PERMALINKS

Use these permalinks to share info with friends

We love it when you include the links shown below in e-mails to your friends. This is better than forwarding your copy of our e-mail newsletter. (When our newsletter is forwarded, some recipients click "report as spam," and corporate filters start blocking our e-mails.)

The following link includes all articles this week: http://WindowsSecrets.com/comp/090723

Free content posted on July 23, 2009:

TOP STORY
By Susan Bradley
Learn to read the obscure WindowsUpdate.log file
Tracking the source of an AU settings change

WACKY WEB WEEK
By Stephanie Small
The transforming of the greatest "blanket" ever

You get all of the following in our paid content:

	LANGALIST PLUS By Fred Langa How to correct Device Manager hardware errors Easy fix for your PC's recalcitrant hardware Did BitTorrent put 100GB of junk files on my PC? Internet Explorer 8 causes screen blackout
	WOODY'S WINDOWS By Woody Leonhard Important Windows 7 questions remain unanswered Release dates now known for some W7 markets Will the Win7 upgrade DVD install over itself? Does upgrading deactivate the old Windows key? What about pricing and the Family Pack? Are Vista Ultimate users getting shafted again? Will the Microsoft Store offer upgrade discounts? Is Windows 7 E more than a flash in the pan? Will my PC be able to run 64-bit Win7 versions?
	PATCH WATCH By Susan Bradley No need to undo pre-patch ActiveX killbit For some XP users, this update is strictly DIY Set up IE 8 post–XP, Vista, .NET service packs Without IE 8, you won't see Vista SP2 offered Microsoft Update is scheduled for stealth update Unpatched hole in Firefox 3.5.1 browser Google readies automatic update of Chrome Fix Adobe Reader and Acrobat to close Flash hole

Get our paid content by making any contribution

There's no fixed fee! Contribute whatever it's worth to you
Readers who make a financial contribution of any amount by July 29, 2009, will immediately receive the latest issue of our full, paid newsletter and 12 months of new paid content. Pay as much or as little as you like — we want as many people as possible to have this information.

A portion of your support helps children in developing countries
Each month, we send a full year of sponsorship to a different child. Your contributions in July are helping us to sponsor Luis Miguel, an 8-year-old boy from Jalisco, Mexico. Children International channels development aid from donors to Luis Miguel and his community. We also sponsor kids through Plan USA and other respected agencies. More info

Use the link below to learn more about the benefits of becoming a paid subscriber!

More info on how to upgrade

Thanks in advance for your support!

Table of contents

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets resulted from the merger of several publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editorial Director: Brian Livingston. Senior Editor: Ian Richards. Editor-at-Large: Fred Langa. Technical Editor: Dennis O'Reilly. Program Director: Tony Johnston. Web Developer: Damian Wadley. Research Director: Stephanie Small. Editorial Assistant: Allison Espiritu. Copyeditor: Roberta Scholz. Contributing Editors: Susan Bradley, Scott Dunn, Scott Spanbauer, Michael Lasky, Woody Leonhard, Ryan Russell, Becky Waring.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period. Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,

Visit our Unsubscribe page.

Table of contents